diff --git a/credentialproviderpackage/cmd/aws-credential-provider/main.go b/credentialproviderpackage/cmd/aws-credential-provider/main.go
index f2d1ef9ff..b1621f8af 100644
--- a/credentialproviderpackage/cmd/aws-credential-provider/main.go
+++ b/credentialproviderpackage/cmd/aws-credential-provider/main.go
@@ -2,7 +2,6 @@ package main
 import (
 _ "embed"
- "io/fs"
 "os"
 "strings"
@@ -15,8 +14,20 @@ import (
 "credential-provider/pkg/log"
 )
+const (
+ bottleRocket = "bottlerocket"
+ socketPath = "/run/api.sock"
+
+ // Aws Credentials
+ credSrcPath = "/secrets/aws-creds/config"
+ awsProfile = "eksa-packages"
+ credWatchData = "/secrets/aws-creds/..data"
+ credWatchPath = "/secrets/aws-creds/"
+)
+
 func main() {
 var configurator cfg.Configurator
+ var err error
 osType := strings.ToLower(os.Getenv("OS_TYPE"))
 if osType == "" {
 log.ErrorLogger.Println("Missing Environment Variable OS_TYPE")
@@ -24,26 +35,20 @@ func main() {
 }
 profile := os.Getenv("AWS_PROFILE")
 if profile == "" {
- profile = constants.Profile
+ profile = awsProfile
 }
 config := createCredentialProviderConfigOptions()
- if osType == constants.BottleRocket {
- socket, err := os.Stat(constants.SocketPath)
+ if osType == bottleRocket {
+ configurator, err = bottlerocket.NewBottleRocketConfigurator(socketPath)
 if err != nil {
 log.ErrorLogger.Fatal(err)
 }
- if socket.Mode().Type() == fs.ModeSocket {
- configurator = bottlerocket.NewBottleRocketConfigurator(constants.SocketPath)
-
- } else {
- log.ErrorLogger.Fatalf("Unexpected type %s expected socket\n", socket.Mode().Type())
- }
 } else {
 configurator = linux.NewLinuxConfigurator()
 }
 configurator.Initialize(config)
- err := configurator.UpdateAWSCredentials(constants.CredSrcPath, profile)
+ err = configurator.UpdateAWSCredentials(credSrcPath, profile)
 if err != nil {
 log.ErrorLogger.Fatal(err)
 }
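Review bot: Any OS_TYPE value other than `bottlerocket` now silently takes the Linux branch (`} else { configurator = linux.NewLinuxConfigurator() }`), which goes on to copy binaries and rewrite kubelet arguments on the host; the only validation left is the empty-string check above. This commit also deletes the `OSType` enum (`amazonlinux`, `ubuntu`, `redhat`, `bottlerocket`) from constants.go without moving the allowed values anywhere, so a typo such as `OS_TYPE=bottle-rocket` is not rejected but quietly configured as Linux. If those four remain the supported values, an explicit switch with a fatal default fails fast instead of configuring the wrong OS. The body of main continues past this hunk.
```go
switch osType {
case bottleRocket:
	configurator, err = bottlerocket.NewBottleRocketConfigurator(socketPath)
	if err != nil {
		log.ErrorLogger.Fatal(err)
	}
case "amazonlinux", "ubuntu", "redhat":
	configurator = linux.NewLinuxConfigurator()
default:
	log.ErrorLogger.Fatalf("unsupported OS_TYPE %q", osType)
}
// … unchanged: configurator.Initialize(config) and the first UpdateAWSCredentials call …
```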
@@ -78,8 +83,8 @@ func main() {
 return
 }
 if event.Has(fsnotify.Create) {
- if event.Name == constants.CredWatchData {
- err = configurator.UpdateAWSCredentials(constants.CredSrcPath, profile)
+ if event.Name == credWatchData {
+ err = configurator.UpdateAWSCredentials(credSrcPath, profile)
 if err != nil {
 log.ErrorLogger.Fatal(err)
 }
@@ -95,7 +100,7 @@ func main() {
 }
 }()
- err = watcher.Add(constants.CredWatchPath)
+ err = watcher.Add(credWatchPath)
 if err != nil {
 log.ErrorLogger.Fatal(err)
 }
diff --git a/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket.go b/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket.go
index d3d6cc15b..93adb9e45 100644
--- a/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket.go
+++ b/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket.go
@@ -6,9 +6,11 @@ import (
 "encoding/base64"
 "encoding/json"
 "fmt"
+ "io/fs"
 "io/ioutil"
 "net"
 "net/http"
+ "os"
 "credential-provider/pkg/configurator"
 "credential-provider/pkg/constants"
@@ -21,9 +23,9 @@ type bottleRocket struct {
 }
 type awsCred struct {
- Aws Aws `json:"aws"`
+ Aws aws `json:"aws"`
 }
-type Aws struct {
+type aws struct {
 Config string `json:"config"`
 Profile string `json:"profile"`
 Region string `json:"region"`
@@ -46,7 +48,14 @@ type kubernetes struct {
 var _ configurator.Configurator = (*bottleRocket)(nil)
-func NewBottleRocketConfigurator(socketPath string) *bottleRocket {
+func NewBottleRocketConfigurator(socketPath string) (*bottleRocket, error) {
+ socket, err := os.Stat(socketPath)
+ if err != nil {
+ return nil, err
+ }
+ if socket.Mode().Type() != fs.ModeSocket {
+ return nil, fmt.Errorf("Unexpected type %s expected socket\n", socket.Mode().Type())
+ }
 return &bottleRocket{
 client: http.Client{
 Transport: &http.Transport{
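Review bot: `err = configurator.UpdateAWSCredentials(credSrcPath, profile)` inside the watcher closure now writes the function-scoped `err` that this commit declares with `var err error` in main, and the main goroutine assigns that same variable again in `err = watcher.Add(credWatchPath)` after the closure has been started with `go` — an unsynchronized write to one variable from two goroutines that `go test -race` would report. Scoping the error to the closure removes the sharing: `if err := configurator.UpdateAWSCredentials(credSrcPath, profile); err != nil {` followed by the existing `log.ErrorLogger.Fatal(err)`. The goroutine's body begins before this hunk, so whether `err` is captured anywhere else in it is not visible here.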
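Review bot: The new error string in `NewBottleRocketConfigurator`, `fmt.Errorf("Unexpected type %s expected socket\n", ...)`, starts with a capital letter and ends with a newline, which breaks Go's error-string convention (staticcheck ST1005) and prints a stray blank line when main hands it to `log.ErrorLogger.Fatal(err)`; it also omits the path that was checked. Suggest `return nil, fmt.Errorf("unexpected type %s for %s, expected socket", socket.Mode().Type(), socketPath)`. The `os.Stat` check is only a pre-flight sanity check — it follows symlinks and nothing stops the path from changing between the stat and the first request — so dial errors from the transport still need handling wherever the client is used, outside this hunk. The constructor's return statement continues past the end of the hunk.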
@@ -55,7 +64,7 @@ func NewBottleRocketConfigurator(socketPath string) *bottleRocket {
 },
 },
 },
- }
+ }, nil
 }
 func (b *bottleRocket) Initialize(config constants.CredentialProviderConfigOptions) {
@@ -137,7 +146,7 @@ func (b *bottleRocket) sendSettingsSetRequest(payload []byte) error {
 }
 func createCredentialsPayload(content string, profile string) ([]byte, error) {
- aws := Aws{
+ aws := aws{
 Config: content,
 Profile: profile,
 }
diff --git a/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket_test.go b/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket_test.go
index ee9a5308d..6490a06e4 100644
--- a/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket_test.go
+++ b/credentialproviderpackage/pkg/configurator/bottlerocket/bottlerocket_test.go
@@ -320,8 +320,7 @@ func validatePatchRequest(w http.ResponseWriter, r *http.Request, t *testing.T,
 func Test_bottleRocket_Initialize(t *testing.T) {
 type args struct {
- socketPath string
- config constants.CredentialProviderConfigOptions
+ config constants.CredentialProviderConfigOptions
 }
 tests := []struct {
 name string
@@ -332,7 +331,6 @@ func Test_bottleRocket_Initialize(t *testing.T) {
 name: "simple initialization",
 baseUrl: "http://localhost/",
 args: args{
- socketPath: "/test/path.sock",
 config: constants.CredentialProviderConfigOptions{
 ImagePatterns: []string{constants.DefaultImagePattern},
 DefaultCacheDuration: constants.DefaultCacheDuration,
@@ -342,7 +340,7 @@ func Test_bottleRocket_Initialize(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- b := NewBottleRocketConfigurator(tt.args.socketPath)
+ b := &bottleRocket{}
 b.Initialize(tt.args.config)
 assert.Equal(t, tt.baseUrl, b.baseURL)
 assert.Equal(t, tt.args.config, b.config)
diff --git a/credentialproviderpackage/pkg/configurator/linux/linux.go b/credentialproviderpackage/pkg/configurator/linux/linux.go
index 603239611..a493927fa 100644
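Review bot: In `createCredentialsPayload`, the renamed local `aws := aws{` shadows the `aws` type for the rest of the function, so the type can no longer be named below that line and a reader has to work out which `aws` each later use refers to; gocritic and the `shadow` analyzer flag exactly this. A distinct local name keeps both readable, e.g. `creds := aws{` with the later uses renamed to match. The function body continues past the end of the hunk, so those later uses are not visible here.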
--- a/credentialproviderpackage/pkg/configurator/linux/linux.go
+++ b/credentialproviderpackage/pkg/configurator/linux/linux.go
@@ -20,6 +20,18 @@ import (
 //go:embed templates/credential-provider-config.yaml
 var credProviderTemplate string
+const (
+ binPath = "/eksa-binaries/"
+ basePath = "/eksa-packages/"
+ credOutFile = "aws-creds"
+ mountedExtraArgs = "/node-files/kubelet-extra-args"
+ credProviderFile = "credential-provider-config.yaml"
+
+ // Binaries
+ ecrCredProviderBinary = "ecr-credential-provider"
+ iamRolesSigningBinary = "aws_signing_helper"
+)
+
 type linuxOS struct {
 profile string
 extraArgsPath string
@@ -32,8 +44,8 @@ var _ configurator.Configurator = (*linuxOS)(nil)
 func NewLinuxConfigurator() *linuxOS {
 return &linuxOS{
 profile: "",
- extraArgsPath: constants.MountedExtraArgs,
- basePath: constants.BasePath,
+ extraArgsPath: mountedExtraArgs,
+ basePath: basePath,
 }
 }
@@ -43,7 +55,7 @@ func (c *linuxOS) Initialize(config constants.CredentialProviderConfigOptions) {
 func (c *linuxOS) UpdateAWSCredentials(sourcePath string, profile string) error {
 c.profile = profile
- dstPath := c.basePath + constants.CredOutFile
+ dstPath := c.basePath + credOutFile
 err := copyWithPermissons(sourcePath, dstPath, 0600)
 return err
@@ -141,8 +153,8 @@ func copyWithPermissons(srcpath, dstpath string, permission os.FileMode) (err er
 }
 func copyBinaries() (string, error) {
- srcPath := constants.BinPath + constants.ECRCredProviderBinary
- dstPath := constants.BasePath + constants.ECRCredProviderBinary
+ srcPath := binPath + ecrCredProviderBinary
+ dstPath := basePath + ecrCredProviderBinary
 err := copyWithPermissons(srcPath, dstPath, 0700)
 if err != nil {
 return "", err
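Review bot: The new const block in linux.go carries no comments on the two directories it defines, and `binPath` versus `basePath` is precisely where a maintainer will hesitate: one is only ever read from (`srcPath := binPath + ecrCredProviderBinary` in `copyBinaries`) while the other is written to with the 0600 credentials file and 0700 binaries and later handed to kubelet as `--image-credential-provider-bin-dir`. Suggest, above `binPath`, `// binPath is the directory the provider binaries are copied from.` and above `basePath`, `// basePath is the directory the binaries, the credentials file and the provider config are installed to; kubelet is pointed at it via --image-credential-provider-bin-dir.` Because every path in this file is built by `a + b` concatenation, the trailing slash on each constant is load-bearing, and `dstPath := c.basePath + credOutFile` in `UpdateAWSCredentials` silently produces a wrong path for any caller-supplied `basePath` without one; a comment such as `// trailing slashes are required: paths are built by concatenation` — or switching to `filepath.Join(c.basePath, credOutFile)`, which would keep the existing tests' slash-terminated dirs working — would prevent that.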
@@ -153,8 +165,8 @@ func copyBinaries() (string, error) { return "", err } - srcPath = constants.BinPath + constants.IAMRolesSigningBinary - dstPath = constants.BasePath + constants.IAMRolesSigningBinary + srcPath = binPath + iamRolesSigningBinary + dstPath = basePath + iamRolesSigningBinary err = copyWithPermissons(srcPath, dstPath, 0700) if err != nil { return "", err @@ -164,19 +176,19 @@ func copyBinaries() (string, error) { if err != nil { return "", err } - return fmt.Sprintf(" --image-credential-provider-bin-dir=%s", constants.BasePath), nil + return fmt.Sprintf(" --image-credential-provider-bin-dir=%s", basePath), nil } func (c *linuxOS) createConfig() (string, error) { values := map[string]interface{}{ "profile": c.profile, - "config": constants.BasePath + constants.CredOutFile, - "home": constants.BasePath, + "config": basePath + credOutFile, + "home": basePath, "imagePattern": c.config.ImagePatterns, "cacheDuration": c.config.DefaultCacheDuration, } - dstPath := c.basePath + constants.CredProviderFile + dstPath := c.basePath + credProviderFile bytes, err := templater.Execute(credProviderTemplate, values) if err != nil { diff --git a/credentialproviderpackage/pkg/configurator/linux/linux_test.go b/credentialproviderpackage/pkg/configurator/linux/linux_test.go index 17d05eed0..9ad900027 100644 --- a/credentialproviderpackage/pkg/configurator/linux/linux_test.go +++ b/credentialproviderpackage/pkg/configurator/linux/linux_test.go @@ -44,10 +44,10 @@ func Test_linuxOS_updateKubeletArguments(t *testing.T) { }, }, args: args{line: ""}, - outputConfigPath: dir + "/" + constants.CredProviderFile, + outputConfigPath: dir + "/" + credProviderFile, configWantPath: "testdata/expected-config.yaml", want: fmt.Sprintf(" --feature-gates=KubeletCredentialProviders=true "+ - "--image-credential-provider-config=%s%s", dir, constants.CredProviderFile), + "--image-credential-provider-config=%s%s", dir, credProviderFile), }, { name: "test multiple match patterns", 
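Review bot: `createConfig` still fills the template's `config` and `home` values from the package constant (`"config": basePath + credOutFile`, `"home": basePath`) while the config file itself is written to `c.basePath + credProviderFile` and `UpdateAWSCredentials` writes the credentials to `c.basePath + credOutFile`; the rename in this hunk preserved that split. For a `linuxOS` whose `basePath` differs from the constant (the test in linux_test.go builds one from `tt.fields.basePath`) the generated config points the credential provider at a credentials file that is never written. Suggest `"config": c.basePath + credOutFile,` and `"home": c.basePath,` so every path derives from the instance. `copyBinaries` has no receiver and also uses the constant for the `--image-credential-provider-bin-dir` value, so that flag would stay tied to `basePath` unless the directory is threaded through to it as well.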
@@ -62,10 +62,10 @@ func Test_linuxOS_updateKubeletArguments(t *testing.T) { }, }, args: args{line: ""}, - outputConfigPath: dir + "/" + constants.CredProviderFile, + outputConfigPath: dir + "/" + credProviderFile, configWantPath: "testdata/expected-config-multiple-patterns.yaml", want: fmt.Sprintf(" --feature-gates=KubeletCredentialProviders=true "+ - "--image-credential-provider-config=%s%s", dir, constants.CredProviderFile), + "--image-credential-provider-config=%s%s", dir, credProviderFile), }, { name: "skip credential provider if already provided", @@ -79,9 +79,9 @@ func Test_linuxOS_updateKubeletArguments(t *testing.T) { }, }, args: args{line: " --feature-gates=KubeletCredentialProviders=true"}, - outputConfigPath: dir + "/" + constants.CredProviderFile, + outputConfigPath: dir + "/" + credProviderFile, configWantPath: "testdata/expected-config.yaml", - want: fmt.Sprintf(" --image-credential-provider-config=%s%s", dir, constants.CredProviderFile), + want: fmt.Sprintf(" --image-credential-provider-config=%s%s", dir, credProviderFile), }, { name: "skip both cred provider and feature gate if provided", @@ -95,7 +95,7 @@ func Test_linuxOS_updateKubeletArguments(t *testing.T) { }, }, args: args{line: " --feature-gates=KubeletCredentialProviders=false --image-credential-provider-config=blah"}, - outputConfigPath: dir + "/" + constants.CredProviderFile, + outputConfigPath: dir + "/" + credProviderFile, configWantPath: "", want: "", }, @@ -158,7 +158,7 @@ func Test_linuxOS_UpdateAWSCredentials(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - dstFile := tt.fields.basePath + constants.CredOutFile + dstFile := tt.fields.basePath + credOutFile c := &linuxOS{ profile: tt.fields.profile, extraArgsPath: tt.fields.extraArgsPath, diff --git a/credentialproviderpackage/pkg/constants/constants.go b/credentialproviderpackage/pkg/constants/constants.go index 2a4205bbd..41a04ea29 100644 --- a/credentialproviderpackage/pkg/constants/constants.go 
+++ b/credentialproviderpackage/pkg/constants/constants.go
@@ -4,35 +4,6 @@ const (
 // Credential Provider constants
 DefaultImagePattern = "*.dkr.ecr.*.amazonaws.com"
 DefaultCacheDuration = "30m"
- CredProviderFile = "credential-provider-config.yaml"
-
- // Aws Credentials
- CredSrcPath = "/secrets/aws-creds/config"
- Profile = "eksa-packages"
- CredWatchData = "/secrets/aws-creds/..data"
- CredWatchPath = "/secrets/aws-creds/"
-
- // BottleRocket
- SocketPath = "/run/api.sock"
-
- // Linux
- BinPath = "/eksa-binaries/"
- BasePath = "/eksa-packages/"
- CredOutFile = "aws-creds"
- MountedExtraArgs = "/node-files/kubelet-extra-args"
-
- // Binaries
- ECRCredProviderBinary = "ecr-credential-provider"
- IAMRolesSigningBinary = "aws_signing_helper"
-)
-
-type OSType string
-
-const (
- AmazonLinux OSType = "amazonlinux"
- Ubuntu = "ubuntu"
- Redhat = "redhat"
- BottleRocket = "bottlerocket"
 )
 type CredentialProviderConfigOptions struct {